{ "mode": "all", "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, { "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id", "equals": "[parameters('subnetId')]" } ] }, "then": { "effect": "deny" } }, "parameters": { "subnetId": { "type": "String", "metadata": { "displayName": "Subnet Id", "description": "Resource Id for Subnet" } } } }

If you need help on deploying the policy please visit https://docs.microsoft.com/en-us/azure/governance/policy/samples/use-approved-subnet-vm-nics

Step2:

Install and Run Fiddler. Fiddler options-HTTPS-Enable “decrypt https traffic” if you are capturing SSL traffic as well Fiddler options-Connections- Enable “Allow remote computers to connect”

Step3: Restart Fiddler

Step4: On the application side you only need to do this change, add the system.net proxy settings

Now, all the outgoing calls from your Azure AppService should be proxied through Fiddler running on another Azure VM.

In this blog I will try to Explain how bindings are created when you create a Azure Cloud Service and Azure Web App. In the below picture we have a Cloud Service called “contoso.cloudapp.net” and there are two instances of this service running in two different machines (Node1 and Node2).

There is one Virtual IP (Public IP : 1.2.3.4) for the cloud service itself and each of these Nodes will have one internal IP (Node1=10.10.10.10,Node2=10.10.10.11) . Now, at the IIS level in each of these Nodes one IP:PORT binding will be created, what is important is there is no HOST NAME mapped to this binding. The HOST NAME text box above is empty as you can see in the above image.

Observations

In the above observations table we can see the website will load in all scenarios as the binding is set IP:PORT and there is no HOSTNAME.Now, lets see how this defers when we use app Service.

In the below diagram we can see that when you create a app Service there will be HOSTNAME associated with the binding.

Observations

The 404 error is thrown by the ARR, as it would have got internal 404 from the backend NODE rejected by http.sys (404 – NotFound) which expects the request to have HOSTHEADER matching with contoso.azurewebsites.net. Now, if you have traffic manager in front of your app service then another binding will be created with the matching HOSTNAME of your traffic manager. (Here azureAppServicehost is the site name and azuretrafficmanagerhost.trafficmanager.net is the traffic manager Host)

So technically only requests that have these two host headers will work azure app Service unlike Azure Cloud Service.

You need to define a custom Class Implementing IWebProxy as below

Now, you need configure HttpClientHandler in your controller with the custom class (MyHttpProxy) to feed the fiddler proxy settings

Now, the outgoing call from the methods should be proxied through fiddler.

Scenario2: Configure asp.net core process to act as a reverse proxy

We can run asp.net core acting as a reverse proxy, wherein it can route the requests to another backend web server. In the below diagram the client talks to asp.net core over port 443 and asp.net core routes the request to backend service over port 80

There are only couple of things you need to do:

Configure the proxy middleware in the startup.cs

ProxyOptions proxyOptions = new ProxyOptions(); proxyOptions.Host = "yourbackendserver"; proxyOptions.Scheme = "http"; proxyOptions.Port = "80";

you can download the complete sample here https://github.com/fasigpt/fiddlerwithaspnetcore

<system.webServer> <handlers> <add name="aspNetCore" path="" verb="" modules="AspNetCoreModule" resourceType="Unspecified" /> </handlers> <aspNetCore processPath="dotnet" arguments=".\youraspnetcore.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" /> </system.webServer>

The actual process which hosts your code is dotnet.exe running behind IIS process and it cannot access apphost.config file. Because of this architecture, we provide different storage mechanisms to store the encryption keys like file system, Azure Blobs, Registry, Custom Storage (IXmlRepository EX : SQL) through the Microsoft.AspNetCore.DataProtection namespace.

In the above diagram, we have two IIS Servers hosting asp.net core code behind a load balancer like ARR. To configure your application to store these keys, you need to set that up in the “ConfigureServices” method.

The first two method will store those keys in the azure blob storage and in your local registry respectively. The file system will create the keys in a remote/local share and its basically an xml file

I have written an end to end sample that demonstrates Signalr [hosted on Azure Web Role] using the Azure ServiceBus. The Sample also includes SignalrClient hosted in Azure WebJob which calls the SignalR Hub and also a .NET Client (on prem) calling the SignalR Hub.

SignalR Service:

The Service has endpoint configured for Service bus inside the Startup.cs as described here https://docs.microsoft.com/en-us/aspnet/signalr/overview/performance/scaleout-with-windows-azure-service-bus and has a ChatHub.

WebJob:

It has an async method called signalrtask which ends up calling the signalRHub (hosted on WebRole) and if you look at the WebJOb Dashboard you should see all the chat messages sent from all other clients including browser and .Net Client.

You can view the Full Sample here https://github.com/fasigpt/webjobs-Servicebus-signalRonWebRole

If you have not read through these below blogs on async, then you must before you proceed!

https://msdn.microsoft.com/en-us/magazine/jj991977.aspx http://blog.stephencleary.com/2012/02/async-and-await.html

Section A: Understanding the request Flow: If you are new to this concept then you should understand how the request flows and here is one simple example to demonstrate the same.

Everything in the above code will be executed Synchronously, till you hit the line which is decorated with “await”. The operation next to it is called “awaitable operation” which will be asynchronous.

What happens when we hit await: If the awaitable operation is not completed then it returns back to the caller and executes the code in the caller …(few Exceptions though, example if the caller has already been blocked by another await or Task.Wait())

If the awaitable operation is completed then the next line of code after that wait gets executed synchronously. (will discuss this later..)

To make the above sample simpler, I have added response.write to see the flow of Execution and the output that you would see here is

1, 2, 3,5,4

and it is NOT 1,2,3,4,5 because Line5 and Line6 inside getEmployeeDetailsAsync will not execute till getStudentDetailsAsync has finished executing as there is await getStudentDetailsAsync.

Section B: when to use ConfigureAwait()

Once the awaitable operation has finished, the next piece of code of that function will start executing under HttpContext (System.Web.HttpContext) in an asp.net application.

In the above Example, Once Line 4 has finished, Line 5 and Line 6 when they execute they run on a thread linked to asp.net context. The below stack is what you would see when Thread.Sleep is called (Line 4)

Now, Let’s try to change the code to use ConfigureAwait(false)

Now, what happens is the Line5 and Line6 will run on Thread Pool thread which is not LINKED to aspnet context. Here is the stack for the same which shows it doesn’t have any aspnet context linked.

Why do you need ConfigureAwait()

If you read this blog http://blog.stephencleary.com/2012/02/async-and-await.html you can see this sample.

Here is what happens on Button1_Click

-Line 1 Will execute

-call getEmployeeDetailsAsync

-Line 4 will Execute and because it has an await and “awaitable operation” is still running, the control is passed back to Button1_Click

-Line 2 will Execute and since there is a Wait, this will be in hung state and this is what the stack looks like.

-Line 3 can only Execute if Line 4 can finish.

-Now once the Line 4 (awaitable operation) has finished, Line 5 will execute synchronously.

-The problem is Line5, to execute that line it needs aspnet context and that context is already linked to below thread which is owned while executing Line 2 and this will lead to deadlock.

To fix this issues you need to use ConfigureAwait(False) which will make Line 5 and any other code below “await” to run without using the httpContext.

In the classic portal or when you do the classic deployment we have the commands “Set-AzureReservedIPAssociation” and “Set-AzurePublicIP” to create Public Reserved IP and Instance Level Public IP respectively.

You can read the below blogs to understand the difference https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-instance-level-public-ip https://blogs.technet.microsoft.com/canitpro/2014/10/28/step-by-step-assign-a-public-ip-to-a-vm-in-azure/

Now, there may be a slight difference how these IPs behave when you deploy a VM using the new deployment model which is the “Resource Manager” type. The above commands wouldn’t work for the new deployment Model.

Assigning Dynamic Public IP to VM: (using Portal)

When you deploy a VM to one of your Virtual Network, you can configure the Public IP during this time.

The IP is dynamic which means it might change when you reboot the server

Assigning Static Public IP to VM: (using Powershell)

You can list all the IP Addresses allotted to your resource group name using Get-AzureRmPublicAddress. In the below picture we can see there is one dynamic IP

Now, let’s try to get one Static Public IP using PowerShell. Here are the command for the same.

Now lets run the Get-AzureRmPublicAddress again and now we can see another IP in this resource group and this is Static.

You can bind this to a VM from Azure Portal or through powershell Set-AzureRmPublicIpAddress

**Now the difference between these IPs are, the static IP will be reserved even after the machine is re started”

Assigning Static/Reserved IP to Cloud Service:

You cannot assign static IP to web role or Worker role instances but you can assign it to the cloud service only.

Here I am creating a reserved IP and assigning it to my cloud service

And now you can assign using

Set-AzureReservedIPAssociation -ReservedIPName reservedIpForCloudService -ServiceName “yourservice” (you can run get-AzureService to get the servicename)

In an on premise world, there are different ways of implementing Authentication and here are some of the scenarios

Imagine you access ten different public sites and you have ten different usernames and passwords to remember. It’s a tedious Job to remember all different usernames and passwords. If you happen to use same password across all sites and if the password gets hacked then you are in trouble!

Today Social Login is a buzzword which is completely different than our traditional authentication process. This approach integrates applications with third party providers like Facebook ,Twitter ,Google to provide the Single Sign on Experience.

The Azure Active Directory [AAD] provides different Services and one of them is the Identity Management. The AAD provides both options of authenticating an user against domain user and also can help you to easily integrate your application with social login providers (facebook,gmail etc)

To begin with, you need to create an Azure Active Directory B2C ( Business to Consumer) Connect which is basically the Cloud Service which implements OpenID Connect authentication protocol on top of OAuth 2.0. In this Example we will use Visual Studio 2017 to quickly create an asp.net core application and enable Azure Active Directory Based Authentication

Step 1 : Create the Active Directory b2c Connect using the steps outlined here https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started

Step2:

Create an asp.net core project targeting .net Framework

Now, Select Web Application and Click on Change Authentication

Now, Select Work or School Accounts. (Make sure you are using the same account used for azure portal to login to Visual Studio). You will see the b2c tenant listed here (in the Domain Text box) that you created in the step1. Now press OK

Here are some of the things that happens to your MVC project behind the scenes

Now to test the authentication you should create an user on the azure portal for that specific tenant that you created. Here is the snapshot of that flow

Now go ahead and launch the default site of your site and it should take you to the login page on which you can enter the newly created user and password. Once the user is authenticated you should see the Home/Index page loading with the username listed.

The .Net Framework Base Class Library is the base foundation for developing applications, components and Controls as it exposes Several APIS implemented in different namespaces like System.IO, System.Globalization and many more. Under the hood, the actual component that has been refereed to Base Class Library is called MSCORLIb.dll. The actual source has been made open source and is available here https://referencesource.microsoft.com/#mscorlib,namespaces.

To understand this a bit more, let’s see what happens when I create a file from my asp.net web page using the below code.

I attached a debugger to see how File Creation happens from my Page_Load function, and in the below stack we can see it ultimately calls a File Create API which is in MSCORLIB and which in turn would make a native call to OS through kernel32!CreateFile API.

CLR : Common Language Runtime:

Your application code/base class library calls all run on an environment called CLR. The .net framework by default sits in the folder C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and it has a dll called clr.dll which can be seen below

The clr.dll is the runtime library and implements most functionality including Garbage Collection, Memory Management, Thread management.

Now, let’s look at same of the stacks in action when CLR runtime is handling the above functionalities.

Thread Management: The previous stack that you saw wasn’t complete, but here you can see at the bottom of stack how CLR runtime handles the thread required to execute your code.

Garbage Collection: In the below thread the system.xml needed more space and that allocation was handled through CLR.

CoreFx vs CoreClr:

Base Class Library is for applications targeting full .Net Framework but for asp.net core applications the base class library is called coreFx and in this image we can see how they fit to each framework.

The CoreFx is fully open Source and is available on GitHub https://github.com/dotnet/corefx

When you install .net core , all different versions sit in a default location C:\Program Files\dotnet\shared\Microsoft.NETCore.App

In the below picture you can see the CoreFx libraries (System.Collections. System.IO etc)

And here is the CoreClr dll which implements multiple functionalities including GC